Data breaches continue to be a persistent issue without a simple solution, as evidenced by the recent breach of the background-check service National Public Data. This incident highlights the escalating dangers and complexity of such breaches. After months of uncertainty, National Public Data has finally confirmed the breach, coinciding with a large amount of stolen data being leaked online.
In April, a hacker known as USDoD started selling a data set on cybercriminal forums for $3.5 million. The data, said to include 2.9 billion records, purportedly affected "the entire population of the USA, CA, and UK." As the weeks passed, samples of the data emerged, with researchers and other actors verifying its authenticity. By early June, it was confirmed that the data contained information like names, emails, and physical addresses.
Although the data's accuracy varies, it appears to consist of two main sets. One contains over 100 million legitimate email addresses along with other personal information. "There appears to have been a data security incident that may have involved some of your personal information," National Public Data announced on Monday. "The incident is believed to have involved a third-party bad actor who attempted to access data in late December 2023, with potential leaks occurring in April 2024 and summer 2024. The breached information includes names, email addresses, phone numbers, Social Security numbers, and mailing addresses."
The company stated it is cooperating with law enforcement and government investigators. National Public Data now faces potential class action lawsuits due to the breach.
"We have become desensitized to the continuous leaks of personal data, but there is a serious risk," says security researcher Jeremiah Fowler, who has been monitoring the National Public Data situation. "It may not be immediate, and it could take years for criminals to figure out how to use this information effectively, but a storm is coming."
When data is stolen from a single source, such as Target, it is relatively easy to trace the source. However, when information is stolen from a data broker and the company does not disclose the incident, it becomes much harder to verify the data's legitimacy and origin. Often, people whose data is compromised are unaware that National Public Data held their information.
Security researcher Troy Hunt noted in a blog post, "The only parties that know the truth are the anonymous threat actors and the data aggregator. We're left with 134M email addresses in public circulation and no clear origin or accountability." Even when a data broker admits to a breach, as National Public Data has, the stolen data may be unreliable and mixed with other datasets. Hunt found many email addresses paired with incorrect personal information, along with numerous duplicates and redundancies.
"There were no email addresses in the Social Security number files," noted Hunt, who operates the website Have I Been Pwned (HIBP). "If you find your email in this data breach via HIBP, there's no evidence your SSN was leaked, and the data next to your record may be incorrect."
For those whose Social Security numbers were included in the breach, the threat of identity theft remains significant. They are forced to freeze their credit, monitor credit reports, and set up financial monitoring services. Notifications about the breach have already been sent out by credit monitoring and threat intelligence services. Although the stolen data is flawed, researchers warn that every data set attackers obtain can fuel scamming, cybercrime, and espionage when combined with other personal data compiled by criminals over the years.
"Each data breach is a puzzle piece, and bad actors and certain nations are collecting this data," Fowler says. "When combined systematically and organized in a searchable way, numerous breaches can provide a complete profile of individual citizens."
